What Are the New Data Protection Regulations?
The European Union is soon to enact new regulations that govern what data you can collect about your customers and how you can use it. This legislation is called the General Data Protection Regulation or GDPR. Of course, as the name implies, the GDPR is general and so it covers any organization that is collecting data about people. For our purposes here we will simply focus on the relationship between your business and your (potential) customers online.
The GDPR will come into force on the 25th of May 2018, which leaves you a year to get ready to comply. Along with the GDPR there is probably going to be a new update to the EU’s e-Privacy Regulation. This regulation goes into more specific detail for online data collection, storage and usage. The e-Privacy Regulation is still in the proposal stage and may still change, but the legislators are targeting the same enforcement date as for the GDPR.
Why it is Important for Your Business to Comply
For European businesses the need to comply may be obvious, but it is actually something businesses around the world should pay attention to. This is particularly the case for websites and online businesses, as the GDPR applies to any business globally that collects data on EU citizens. If you are collecting data on your website and your website is visited by EU citizens, then the GDPR will hold your business accountable for what you do with that data regardless of where your business is based. The penalties for businesses that breach the GDPR can be severe, the biggest being a fine of 20 million Euro or 4% of global annual turnover – whichever is the higher.
The Most Important Aspects for Your Digital Marketing
For digital marketers there are a number of key pieces of the legislation that you need to know about. The following four points are the most important to get right in ensuring that your online data program is compliant.
1. Personal Data
The first is to understand what is covered by the GDPR and the e-Privacy Regulation. I have already mentioned that the law applies to the data of all EU citizens, but it is slightly more specific: it applies to their personal data.
Personal data is any data specific to a user that could allow them to be identified or singled out. This covers information like name, address, geographic location, phone number, email address, or identity number. However, it also covers online identifiers such as a user name or an IP address.
2. Consent
Perhaps the biggest change the GDPR will make to the current landscape is its idea of consent. Consent needs to be explicit, informed and freely given.
This means that under the GDPR the standard cookie notices seen on most websites will no longer suffice. The law requires that users give consent via an ‘affirmative action’. The user needs to take an active step to consent. Silence and implicit consent will not be enough. User data cannot be collected until consent is given.
Additionally, as the law insists on the consent being informed, businesses will need to tell the user exactly what data is being collected, how it is stored and what the business is using the data for.
The legislation also insists on an always-available method for opting out of tracking. This means that at any point the website user should be able to revoke their consent.
3. Data Security
The security of people’s personal data becomes the responsibility of the data controller. The data controller is defined as the entity that decides on the purpose for and the method of data collection. So, for example, as owner of the website you are the data controller. You have to ensure that the tools and providers you use to collect, store and visualize your data have suitable security in place to protect your customers.
4. Data Location
Part of the GDPR’s efforts to protect EU citizens’ data extends to where that data is processed and stored. The GDPR insists that the data is kept and processed in the EU, or at least in a country that has similar data protections to the EU. You can find a list of these countries here.
This poses a problem when using tools with servers and data centres located in countries, like the United States, that do not have the equivalent data protections. The US-EU Privacy Shield allows companies in the US to sign a declaration that they will uphold the same standards with the data they store as the GDPR requires.
However, its validity is still being contested, as EU legislators are concerned that with no law governing them, market forces will cause companies to use data in ways that contravene the law. Another concern is that even if the companies do abide by the terms of the Privacy Shield, they are still operating under a law that may require them to reveal EU citizens’ personal data to their government.
The final concern that needs to be addressed when it comes to the location of the data is informed consent. If the data is being moved out of the EU this needs to be made explicit to the user when giving consent to their data being collected.
What Should You Do to be Ready for GDPR?
1. Anonymize IP Addresses
If you use a tool, like Google Analytics, to see behavior patterns in anonymized data on your website without identifying individual users, you are using aggregated website tracking. For this type of tracking there are only two data points that all websites need to be concerned with. These two primary points are the user’s IP address and the tool’s tracking cookie.
For the IP address there is a relatively simple way to ensure you are compliant and do not require user consent. Most of the tools used for aggregate website tracking allow you to anonymize the user’s IP address. By ensuring that this setting is switched on, there should be no way to identify the user individually.
2. Determine if You Require User Consent
With the IP address anonymized we can now look at the tracking cookies. The proposed e-Privacy regulations provide an exemption to user consent for cookies for aggregate website tools. However, at this point in time it is not clear whether this exemption will be only for tools operated by the website or whether it will cover third-party tools like Google Analytics. This will become clearer as the new e-Privacy regulations are finalized and ratified.
3. Use a Self-Hosted Analytics Tool
Given the uncertainty over whether third-party tools will require consent, the safest option would be to implement a self-hosted web analytics tool. These tools allow you to host an entire instance of the tool on your own infrastructure. This means that only your business has access to the data, and you can be sure you will not need consent for your aggregate website tracking.
4. Get Opt-In
If you cannot use a self-hosted tool then you will have to get users to opt in. There are two possible solutions for this.
The first is the Soft Opt-In approach. With this approach you must inform the visitor when they first arrive on your site that any further action taken on the site will be tracked. You must provide them with the option to opt out of being tracked at this point. This method is commonly used in European countries with strict existing data privacy laws, like Germany. It’s unclear at this point whether it will still be acceptable under the new e-Privacy Regulation.
The second approach is a Hard Opt-In. This is the safer approach, as it will definitely be compliant when the laws are published, but it is more intrusive for the user. With this approach you will ask the user for their consent before they can begin browsing the website. This can be done with a pop-up box on the first page of their first visit.
5. Provide an Opt-Out Possibility
If you are required to get the users’ consent to capture their data under the new regulations, you need to provide them with a way to change their mind and opt out at any point. The law says that this needs to be always available to the user. The best way to do this would be to have a dedicated page detailing your tracking that allows users to opt out. This page can then be linked in your footer so that it is always present on your site.
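The consent gate that steps 1, 4 and 5 above describe, as an added example that is not code from the original post: the tracker is started only after an explicit opt-in is recorded in a cookie, always with IP anonymization switched on, and the opt-out page can revoke it with one call. The cookie name, the 180-day lifetime and the tracker interface are assumptions.

```javascript
// Consent-gated analytics bootstrap (added example, not code from the original post).
// Assumed: a cookie named "site_consent" and a tracker object {init(opts), optOut()}.
const CONSENT_COOKIE = "site_consent";        // assumed cookie name
const CONSENT_MAX_AGE = 60 * 60 * 24 * 180;   // 180 days, constructed value

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of (cookieString || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Only an explicit "granted" or "denied" is a recorded choice; absence or any
// other value is "unknown": silence is not consent, so nothing may be collected.
function consentState(cookieString) {
  const v = parseCookies(cookieString)[CONSENT_COOKIE];
  return v === "granted" || v === "denied" ? v : "unknown";
}

// Cookie assignment string recording the user's affirmative action.
function consentCookieValue(choice) {
  if (choice !== "granted" && choice !== "denied") throw new Error("invalid choice");
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

// On page load: start the tracker only after an explicit grant, always with IP
// anonymization on (Google Analytics analytics.js: ga('set', 'anonymizeIp', true)).
// Returns "tracking", "blocked", or "prompt" (show the hard opt-in dialog first).
function applyConsent(cookieString, tracker) {
  const state = consentState(cookieString);
  if (state === "granted") { tracker.init({ anonymizeIp: true }); return "tracking"; }
  return state === "denied" ? "blocked" : "prompt";
}

// Opt-out handler for the always-linked tracking page: stop the tracker and
// return the cookie string to write so the revocation persists across visits.
function revokeConsent(tracker) {
  tracker.optOut();
  return consentCookieValue("denied");
}
```

In a page, `applyConsent(document.cookie, tracker)` runs before any analytics script is loaded, and the opt-in dialog's confirm button writes `consentCookieValue("granted")` to `document.cookie` and then calls `applyConsent` again.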
6. Be Careful with User Profiles and Marketing Automation
If your business’s data program goes beyond aggregation and you set up user profiles, you need to put more thought into getting yourself ready for GDPR. This is particularly true if you are running a marketing automation program, retargeting or even manually targeted marketing. All user profiling activities and every type of marketing communication you send out based on these profiles require the users’ consent. All of the personal data or profiling data you will be capturing and all of the direct marketing you will be sending them need to be specified at the time when you ask the users for their consent. Additionally, a method for revoking their consent – opting out – should be provided.
Let us know if you have questions about the upcoming GDPR and proposed e-Privacy Regulation. Check out our compliance and GDPR audits if you would like to make sure that your digital marketing is compliant.